heads up: tcpwrappers support going away

James Cloos cloos at jhcloos.com
Wed Apr 23 08:31:27 EST 2014

>>>>> "DM" == Damien Miller <djm at mindrot.org> writes:

DM> This is an early warning: OpenSSH will drop tcpwrappers in the next
DM> release.

This will need a wider announcement.  Most auto-block solutions I've
looked at add entries to hosts.allow.  Everyone using such will need
to adapt their setup to cope.

Several use the notion of of a spawn line in hosts.allow.  With the
loss of tcpwrapper, openssh should add an option to run a command
for each incomming conenction (before it sends the banner, et alia)
which can check for abuse patterns and add (or expire) a packet filter.

The external should be expected to return zero to permit the connection
or non-zero to prevent it, plus perform any side-effects the admin wants.

James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

More information about the openssh-unix-dev mailing list